The latest round-up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP.
EU policy and regulatory developments
- Network Information Security Directive (NISD): The indications are that further trilogue negotiations to agree the Directive are due to take place today, 29 June. “Rapid” adoption of the NISD, and adoption of the GDPR by the end of the year, were among the conclusions adopted by Member States at the EU Council meeting on 25 and 26 June. A debrief from the trilogue is on the agenda for a meeting of the Council’s permanent representatives in Brussels tomorrow. The Council’s telecoms working party is due to meet on 2 July and, according to this agenda, there will be a debrief on the latest trilogue negotiations. Over the past week, further preparatory documents related to the trilogue, dated 23 and 26 June, have been flagged but not published on the Council’s website. Will the Directive be agreed at EU level before the Council Presidency passes from Latvia to Luxembourg on Wednesday? Datonomy is watching developments closely and will bring you the latest news.
- Industry website ComputerWorldUK is reporting that pressure is mounting on EU lawmakers to bring the e-commerce giants within the Directive’s scope following meetings on 24 June. At those meetings, the ambassadors of the EU Member States are reported to have sided with the Commission and to have given the go-ahead for the Council to continue negotiations with the Commission and Parliament on 29 June.
- General Data Protection Regulation (GDPR): trilogue negotiations began on 24 June, with the proposal’s Rapporteur, MEP Jan Albrecht, quoted by the MLex service as saying “the three texts on the table…are far more near to each other than I think all of us thought”. There is a six-month provisional timetable for the negotiations, recently outlined by a group of MEPs here, aimed at adoption of the proposal by the end of 2015. Industry website ContractorUK is, however, echoing the concerns voiced by the Institute of Directors that the GDPR will “saddle businesses with a host of new liabilities…and threaten much needed foreign investment”.
UK policy and regulatory developments
- The Department for Business, Innovation & Skills has launched a new free, online, interactive cybersecurity training course for procurement professionals. Following reports that 50% of data breaches in UK businesses are caused by inadvertent human error, the training will “increase awareness of common cyber risks and threats procurement professionals may experience in the workplace and how to prevent and deal with them. It provides advice on how to safeguard digital information, raise awareness of cyber issues with suppliers and gives examples of how to deal with issues such as information breaches in the workplace.”
- While not strictly a cybersecurity story, Matthew Hancock MP was the keynote speaker at the recent National Digital Conference 2015. Hancock spoke specifically about the digital transformation that is ongoing in the public and private sectors, noting that “for the first time, we are in a position to build digital foundations: made of data not paper, holding up platforms not silos. Common registers, common payments platforms, and common license systems, all based on common data standards.” Read the full speech here.
US policy and regulatory developments
- Secretary of State John Kerry has stated that the US and China will work together to develop a cyber “code of conduct”, following the recent Office of Personnel Management hack and the visit of a large Chinese delegation to Washington. Kerry claimed, “There was an honest discussion, without accusations, without any finger-pointing, about the problem of cyber theft and whether or not it was sanctioned by government or whether it was hackers and individuals that the government has the ability to prosecute.” Further coverage from SC Magazine here.
- The move by the US government was perhaps spurred on by recent, public comments by Chinese Foreign Ministry spokesman Lu Kang when he said “China and the United States had previously always had a good dialogue mechanism on issues of Internet security. Because of reasons that everyone knows about, and not because of China, this dialogue has stopped.”
- The Senate Republican Committee has published a critique of President Obama’s legislative cybersecurity efforts, claiming that the President’s efforts have “not kept pace with the increase of cyberattacks – either in size or sophistication”. The piece further criticises the NIST framework as an incomplete solution before proposing the Cybersecurity Information Sharing Act of 2015, which aims to provide liability protection for information sharing, as a solution. The Bill was introduced in the Senate in March and, although it has been reviewed by the Select Committee on Intelligence, has still not been put to a vote.
Attacks, reports and other news
- SC Magazine is reporting that Europol has taken down a major Ukrainian cyber crime ring. The group was suspected of developing, exploiting and distributing the Zeus and SpyEye Trojans (two of the most common malware agents detected this year) in a bid to target banks, and of reinvesting the stolen funds (reportedly £1.4 million) in other criminal enterprises. Computers seized in the operation are now being forensically examined with a view to prosecution.
- The BBC is reporting that the US still considers China to be the “leading suspect” in the recent US Office of Personnel Management hack. The news follows public testimony by high-ranking intelligence chief James Clapper at a conference in Washington DC. China has been implicated in the attack from the beginning but maintains the public stance that it had nothing to do with the April 2015 attack, which only recently became public.
- CERT-UK’s weekly update focuses on the growing array of tools systems managers have at their disposal, such as Microsoft’s Local Administrator Password Solution (LAPS). A local account with the same name and the same password on every computer in a domain means that a password hash captured on one machine can be replayed against all the others (a “pass-the-hash” credential replay attack); LAPS removes that exposure by giving each machine its own randomised local administrator password, stored in Active Directory and rotated on a schedule. “LAPS essentially simplifies password management while helping users implement recommended defences against cyberattacks.” Read the full update here.
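The exposure CERT-UK describes can be checked for directly: if local SAM dumps taken from several hosts show the same NT hash for the local administrator, one captured hash logs in to every host in that group. The Python script below is an added example and is not part of the CERT-UK update or of Microsoft’s LAPS tooling. It parses a constructed secretsdump-style dump (the host names and hashes are made up for illustration and are not real credentials), groups accounts by identical NT hash, and skips the well-known empty-password NT hash so that disabled Guest accounts do not produce a false alarm. On an estate where LAPS has been rolled out, every group should collapse to a single host.

```python
"""Audit local SAM dumps for reused local administrator NT hashes.

Constructed example input, one account per line, in the secretsdump-style
format used by many credential-dumping tools (assumption: this layout):

    <host>/<user>:<rid>:<lm_hash>:<nt_hash>:::

Hosts that share an identical NT hash are exactly the pass-the-hash exposure
LAPS removes: a hash captured on one of them authenticates to all of them.
"""
from collections import defaultdict
import re

# NT hash of the empty string; disabled built-in accounts (e.g. Guest) carry
# it on every host, so it is noise rather than password reuse.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Hypothetical dump from five domain-joined workstations (all values invented).
SAMPLE_DUMP = """\
WS01/Administrator:500:aad3b435b51404eeaad3b435b51404ee:1111aaaa2222bbbb3333cccc4444dddd:::
WS01/Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WS02/Administrator:500:aad3b435b51404eeaad3b435b51404ee:1111aaaa2222bbbb3333cccc4444dddd:::
WS02/Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WS03/Administrator:500:aad3b435b51404eeaad3b435b51404ee:1111aaaa2222bbbb3333cccc4444dddd:::
WS04/Administrator:500:aad3b435b51404eeaad3b435b51404ee:5555eeee6666ffff7777aaaa8888bbbb:::
WS05/Administrator:500:aad3b435b51404eeaad3b435b51404ee:9999cccc0000dddd1111eeee2222ffff:::
WS05/helpdesk:1001:aad3b435b51404eeaad3b435b51404ee:5555eeee6666ffff7777aaaa8888bbbb:::
"""

LINE_RE = re.compile(
    r"^(?P<host>[^/:]+)/(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_dump(text):
    """Yield (host, user, rid, nt_hash) for each well-formed line; ignore the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["host"], m["user"], int(m["rid"]), m["nt"].lower()


def find_reused_hashes(text):
    """Return {nt_hash: sorted ['HOST\\user', ...]} for every NT hash that
    appears on more than one host. Reuse across different account names is
    reported too, since it is still one password unlocking several machines.
    """
    accounts_by_hash = defaultdict(set)
    for host, user, _rid, nt in parse_dump(text):
        if nt == EMPTY_NT_HASH:
            continue
        accounts_by_hash[nt].add(f"{host}\\{user}")
    return {
        nt: sorted(accounts)
        for nt, accounts in accounts_by_hash.items()
        if len({a.split("\\", 1)[0] for a in accounts}) > 1
    }


def blast_radius(text):
    """Largest number of hosts a single captured hash would unlock (1 = no reuse)."""
    groups = find_reused_hashes(text)
    return max((len(accounts) for accounts in groups.values()), default=1)


if __name__ == "__main__":
    for nt, accounts in find_reused_hashes(SAMPLE_DUMP).items():
        print(f"NT hash {nt} shared by {len(accounts)} accounts: {', '.join(accounts)}")
    print(f"Worst-case blast radius of one captured hash: {blast_radius(SAMPLE_DUMP)} hosts")
```

Run against a real dump only on systems you are authorised to assess; the same grouping logic can be applied to the output of any tool that emits NT hashes per host.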
- The Wall Street Journal is reporting something of a coup for Facebook after it managed to lure Yahoo’s cybersecurity chief, Alex Stamos. Stamos is known as a specialist in email and website encryption technologies. The move is the latest in a merry-go-round of top cybersecurity executives, after Joseph Sullivan left Facebook to join Uber.
Contributors to this week’s update: Tom Pritchard, Paralegal and Claire Walker, Head of Client Knowledge.